CodeBuildECR

Securely push images to Amazon ECR using CodeBuild with this IAM policy. Learn how to grant CodeBuild the necessary permissions for ECR access.

CodeBuild ECR Policy

This IAM policy allows CodeBuild to push images to Amazon ECR. Use this policy to grant CodeBuild the necessary permissions to access your ECR repository.

IAM Policy for CodeBuild ECR Access

Below is the JSON representation of the IAM policy. It grants permission to get an authorization token, initiate layer uploads, upload layer parts, complete layer uploads, check layer availability, and put images into your ECR repository. ecr:GetAuthorizationToken does not support resource-level permissions, so it is allowed on "*" in its own statement; the upload actions stay scoped to the repository ARN.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ecr:GetAuthorizationToken",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage"
            ],
            "Resource": [
                "arn:aws:ecr:eu-west-1:xxxxxxxxxxxx:repository/myrepo"
            ]
        }
    ]
}

Explanation of Permissions

This policy includes the following permissions:

  • ecr:GetAuthorizationToken: Allows CodeBuild to retrieve an authentication token to authenticate with ECR.
  • ecr:InitiateLayerUpload: Allows CodeBuild to initiate the upload of a new image layer.
  • ecr:UploadLayerPart: Allows CodeBuild to upload parts of an image layer.
  • ecr:CompleteLayerUpload: Allows CodeBuild to finalize the upload of an image layer.
  • ecr:BatchCheckLayerAvailability: Allows CodeBuild to check the availability of image layers.
  • ecr:PutImage: Allows CodeBuild to put (upload) an image into the ECR repository.

How to Use This Policy

  1. Create an IAM role for your CodeBuild project.
  2. Attach this policy to the IAM role.
  3. Replace arn:aws:ecr:eu-west-1:xxxxxxxxxxxx:repository/myrepo with the actual ARN of your ECR repository.
  4. Configure your CodeBuild project to use the IAM role.
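
Before attaching the policy, it can be checked offline. The following is an added example, not part of the original page: it verifies that ecr:GetAuthorizationToken is allowed on "*" (the action has no resource-level scoping) and that the five upload actions are present and pinned to named repository ARNs. The function name and both sample policies are assumptions made for illustration.

```python
import fnmatch
import json

TOKEN = "ecr:GetAuthorizationToken"
PUSH = {"ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload",
        "ecr:BatchCheckLayerAvailability", "ecr:PutImage"}
REPO = "arn:aws:ecr:eu-west-1:xxxxxxxxxxxx:repository/myrepo"  # placeholder ARN from the page

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _allows(patterns, action):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit_ecr_push_policy(policy):
    """Return findings for an identity policy meant for ECR pushes.
    Only Allow statements are read; Deny, NotAction and Condition are out of scope."""
    findings, token_ok, granted = [], False, set()
    statements = policy.get("Statement", [])
    for stmt in [statements] if isinstance(statements, dict) else statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))
        # GetAuthorizationToken has no resource-level scoping: only "*" works.
        if _allows(actions, TOKEN) and "*" in resources:
            token_ok = True
        pushed = {a for a in PUSH if _allows(actions, a)}
        granted |= pushed
        broad = [r for r in resources if "*" in r]
        if pushed and broad:
            findings.append(f"push actions allowed on wildcard resource(s): {broad}")
    if not token_ok:
        findings.append(f'{TOKEN} is not allowed on Resource "*", so the registry login is denied')
    if PUSH - granted:
        findings.append(f"missing push actions: {sorted(PUSH - granted)}")
    return findings

# Constructed samples: every action scoped to one repository vs. a split policy.
SINGLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": [TOKEN, *sorted(PUSH)], "Resource": [REPO]}]}
SPLIT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": TOKEN, "Resource": "*"},
    {"Effect": "Allow", "Action": sorted(PUSH), "Resource": [REPO]}]}

if __name__ == "__main__":
    for name, pol in (("single", SINGLE), ("split", SPLIT)):
        print(name, json.dumps(audit_ecr_push_policy(pol), indent=2))
```

An empty result means the policy passed these three checks only; it does not evaluate the role's trust policy or any repository policy.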

Additional Resources

For more information about AWS IAM policies and Amazon ECR, refer to the following resources: